Tag Archives: Privacy

NSA Abandons "About" Searches

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/05/nsa_abandons_ab.html

Earlier this month, the NSA said that it would no longer conduct “about” searches of bulk communications data. This was the practice of collecting the communications of Americans based on keywords and phrases in the contents of the messages, not based on who they were from or to.

The NSA’s own words:

After considerable evaluation of the program and available technology, NSA has decided that its Section 702 foreign intelligence surveillance activities will no longer include any upstream internet communications that are solely “about” a foreign intelligence target. Instead, this surveillance will now be limited to only those communications that are directly “to” or “from” a foreign intelligence target. These changes are designed to retain the upstream collection that provides the greatest value to national security while reducing the likelihood that NSA will acquire communications of U.S. persons or others who are not in direct contact with one of the Agency’s foreign intelligence targets.

In addition, as part of this curtailment, NSA will delete the vast majority of previously acquired upstream internet communications as soon as practicable.

[…]

After reviewing amended Section 702 certifications and NSA procedures that implement these changes, the FISC recently issued an opinion and order, approving the renewal certifications and use of procedures, which authorize this narrowed form of Section 702 upstream internet collection. A declassification review of the FISC’s opinion and order, and the related targeting and minimization procedures, is underway.

A quick review: under Section 702 of the Patriot Act, the NSA seizes a copy of all communications moving through a telco — think e-mail and such — and searches it for particular senders, receivers, and — until recently — key words. This pretty clearly violates the Fourth Amendment, and groups like the EFF have been fighting the NSA in court about this for years. The NSA has also had problems in the FISA court about these searches, and cites “inadvertent compliance incidents” related to this.

We might learn more about this change. Again, from the NSA’s statement:

After reviewing amended Section 702 certifications and NSA procedures that implement these changes, the FISC recently issued an opinion and order, approving the renewal certifications and use of procedures, which authorize this narrowed form of Section 702 upstream internet collection. A declassification review of the FISC’s opinion and order, and the related targeting and minimization procedures, is underway.

And the EFF is still fighting for more NSA surveillance reforms.

WannaCry Ransomware

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/05/wannacry_ransom.html

Criminals go where the money is, and cybercriminals are no exception.

And right now, the money is in ransomware.

It’s a simple scam. Encrypt the victim’s hard drive, then extract a fee to decrypt it. The scammers can’t charge too much, because they want the victim to pay rather than give up on the data. But they can charge individuals a few hundred dollars, and they can charge institutions like hospitals a few thousand. Do it at scale, and it’s a profitable business.

And scale is how ransomware works. Computers are infected automatically, with viruses that spread over the internet. Payment is no more difficult than buying something online, and payable in untraceable bitcoin, with some ransomware makers offering tech support to those unsure of how to buy or transfer bitcoin. Customer service is important; people need to know they’ll get their files back once they pay.

And they want you to pay. If they’re lucky, they’ve encrypted your irreplaceable family photos, or the documents of a project you’ve been working on for weeks. Or maybe your company’s accounts receivable files or your hospital’s patient records. The more you need what they’ve stolen, the better.

The particular ransomware making headlines is called WannaCry, and it’s infected some pretty serious organizations.

What can you do about it? Your first line of defense is to diligently install every security update as soon as it becomes available, and to migrate to systems that vendors still support. Microsoft issued a security patch that protects against WannaCry months before the ransomware started infecting systems; it only works against computers that haven’t been patched. And many of the systems it infects are older computers, no longer normally supported by Microsoft, though it did belatedly release a patch for those older systems. I know it’s hard, but until companies are forced to maintain old systems, you’re much safer upgrading.

This is easier advice for individuals than for organizations. You and I can pretty easily migrate to a new operating system, but organizations sometimes have custom software that breaks when they change OS versions or install updates. Many of the organizations hit by WannaCry had outdated systems for exactly these reasons. But as expensive and time-consuming as updating might be, the risks of not doing so are increasing.

Your second line of defense is good antivirus software. Sometimes ransomware tricks you into encrypting your own hard drive by clicking on a file attachment that you thought was benign. Antivirus software can often catch your mistake and prevent the malicious software from running. This isn’t perfect, of course, but it’s an important part of any defense.

Your third line of defense is to diligently back up your files. There are systems that do this automatically for your hard drive. You can invest in one of those. Or you can store your important data in the cloud. If your irreplaceable family photos are in a backup drive in your house, then the ransomware has that much less hold on you. If your e-mail and documents are in the cloud, then you can just reinstall the operating system and bypass the ransomware entirely. I know storing data in the cloud has its own privacy risks, but they may be less than the risks of losing everything to ransomware.

That takes care of your computers and smartphones, but what about everything else? We’re deep into the age of the “Internet of things.”

There are now computers in your household appliances. There are computers in your cars and in the airplanes you travel on. Computers run our traffic lights and our power grids. These are all vulnerable to ransomware. The Mirai botnet exploited a vulnerability in internet-enabled devices like DVRs and webcams to launch a denial-of-service attack against a critical internet name server; next time it could just as easily disable the devices and demand payment to turn them back on.

Re-enabling a webcam will be cheap; re-enabling your car will cost more. And you don’t want to know how vulnerable implanted medical devices are to these sorts of attacks.

Commercial solutions are coming, probably a convenient repackaging of the three lines of defense described above. But it’ll be yet another security surcharge you’ll be expected to pay because the computers and internet-of-things devices you buy are so insecure. Because there are currently no liabilities for lousy software and no regulations mandating secure software, the market rewards software that’s fast and cheap at the expense of good. Until that changes, ransomware will continue to be a profitable line of criminal business.

This essay previously appeared in the New York Daily News.

UK Schedule 7 – Man Charged For Not Sharing Password

Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/aGBaFnpXHK4/

UK Schedule 7 of the Terrorism Act 2000 is finally being enacted and is no longer an idle threat, so be aware it’s not only the USA that has these kinds of draconian laws. A man who refused to share his phone and laptop passwords has been charged under Schedule 7, which is pretty […]

Read the full post at darknet.org.uk

EU Votes Today On Content Portability to Reduce Piracy (Updated)

Post Syndicated from Andy original https://torrentfreak.com/eu-votes-today-on-content-portability-to-reduce-piracy-170518/

Being a fully paid-up customer of a streaming service such as Spotify or Netflix should be a painless experience, but for citizens of the EU, complexities exist.

Subscribers of Netflix, for example, have access to different libraries, depending on where they’re located. This means that a viewer in the Netherlands could begin watching a movie at home, travel to France for a weekend break, and find on arrival that the content he paid for is not available there.

A similar situation can arise with a UK citizen’s access to BBC’s iPlayer. While he has free access to the service he previously paid for while at home, travel to Spain for a week and access is denied, since the service believes he’s not entitled to view.

While the EU is fiercely protective of its aim to grant free movement to both people and goods, this clearly hasn’t always translated well to the digital domain. There are currently no explicit provisions under EU law which mandate cross-border portability of online content services.

Following a vote today, however, all that may change.

In a few hours’ time, Members of the European Parliament will vote on whether to introduce new ‘Cross-border portability’ rules (pdf) that will give citizens the freedom to enjoy their media wherever they are in the EU, without having to resort to piracy.

“If you live for instance in Germany but you go on holiday or visit your family or work in Spain, you will be able to access the services that you had in Germany in any other country in the Union, because the text covers the EU,” says Jean-Marie Cavada, the French ALDE member responsible for steering the new rules through Parliament.

But while freedom to receive content is the aim, there will be a number of restrictions in practice. While travelers to other EU countries will get access to the same content they would back home on the same range of devices, it will only be available on a temporary basis.

People traveling on a holiday, business, or study trip will enjoy the freedom to consume “for a limited period.” Extended stays will not be catered for under the new rules so as not to upset licensing arrangements already in place between rightsholders and service providers.

So how will the system work in practice?

At the moment, services like Netflix use the current IP address of the subscriber to determine where they are and therefore which regional library they’ll have access to when they sign in.

It appears that a future system would have to consider in which country the user signed up, before checking to ensure that the user trying to access the service in another EU country is the same person. That being said, if copyright holders agree, service providers can omit the verification process.

“The draft text to be voted on calls for safeguarding measures to be included in the regulation to ensure that the data and privacy of users are respected throughout the verification process,” European Parliament news said this week.

If adopted, the new rules would come into play during the first six months of 2018 and would apply to subscriptions already in place.

Separately, MEPs are also considering new rules on geo-blocking “to ensure that online sellers do not discriminate against consumers” because of where they live in the EU.

Update: The vote has passed. Here is the full statement by Vice-President for the Digital Single Market, Andrus Ansip.

I welcome today’s positive vote of the European Parliament on the portability of online content across borders, following the agreement reached between the European Parliament, Council and Commission at the beginning of the year.

I warmly thank the European Parliament rapporteur Jean-Marie Cavada for his work in achieving this and look forward to final approval by Member States in the coming weeks.

The rules voted today mean that, as of the beginning of next year, people who have subscribed to their favourite series, music and sports events at home will be able to enjoy them when they travel in the European Union.

Combined with the end of roaming charges, it means that watching films or listening to music while on holiday abroad will not bring any additional costs to people who use mobile networks.

This is an important step in breaking down barriers in the Digital Single Market.

We now need agreements on our other proposals to modernise EU copyright rules and ensure wider access to creative content across borders and fairer rules for creators. I rely on the European Parliament and Member States to make swift progress to make this happen.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Github Dorks – Github Security Scanning Tool

Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/tanX0m9KJM0/

Github search is quite a powerful and useful feature and can be used to search for sensitive data in repositories, this Github security scanning tool comes with a collection of Github dorks that can reveal sensitive personal and/or other proprietary organisational information such as private keys, credentials, authentication tokens and so on….

Read the full post at darknet.org.uk

ISP Bombarded With 82,000+ Demands to Reveal Alleged Pirates

Post Syndicated from Andy original https://torrentfreak.com/isp-bombarded-with-82000-demands-to-reveal-alleged-pirates-170513/

It was once a region where people could share files without fear of reprisal, but over the years Scandinavia has become a hotbed of ‘pirate’ prosecutions.

Sweden, in particular, has seen many sites shut down and their operators sentenced, notably those behind The Pirate Bay but also more recent cases such as those against DreamFilm and Swefilmer.

Against this backdrop, members of the public have continued to share files, albeit in decreasing numbers. However, at the same time copyright trolls have hit countries like Sweden, Finland, and Denmark, hoping to scare alleged file-sharers into cash settlements.

This week regional ISP Telia revealed that the activity has already reached epidemic proportions.

Under the EU IPR Enforcement Directive (IPRED), Internet service providers are required to hand over the personal details of suspected pirates to copyright holders, if local courts deem that appropriate. Telia says it is now being bombarded with such demands.

“Telia must adhere to court decisions. At the same time we have a commitment to respect the privacy of our customers and therefore to be transparent,” the company says.

“While in previous years Telia has normally received less than ten such [disclosure] requests per market, per year, lately the number of requests has increased significantly.”

The scale is huge. The company reports that in Sweden during the past year alone, it has been ordered to hand over the identities of subscribers behind more than 45,000 IP addresses.

In Finland during the same period, court orders covered almost 37,000 IP addresses. Four court orders in Denmark currently require the surrendering of data on “hundreds” of customers.

Telia says that a Danish law firm known as Njord Law is behind many of the demands. The company is connected to international copyright trolls operating out of the United States, United Kingdom, and elsewhere.

“A Danish law firm (NJORD Law firm), representing the London-based copyright holder Copyright Management Services Ltd, was recently (2017-01-31) granted a court order forcing Telia Sweden to disclose to the law firm the subscriber identities behind 25,000 IP-addresses,” the company notes.

Copyright Management Services Ltd was incorporated in the UK during October 2014. Its sole director is Patrick Achache, who also operates German-based BitTorrent tracking company MaverickEye. Both are part of the notorious international trolling operation Guardaley.

Copyright Management Services, which is based at the same London address as fellow UK copyright-trolling partner Hatton and Berkeley, filed accounts in June 2016 claiming to be a dormant company. Other than that, it has never filed any financial information.

Copyright Management Services will be legally required to publish more detailed accounts next time around, since the company is now clearly trading, but its role in this operation is far from clear. For its part, Telia hopes the court has done the necessary checking when handing information over to its partner firm, Njord Law.

“Telia assumes that the courts perform adequate assessments of the evidence provided by the above law firm, and also that the courts conduct a sufficient assessment of proportionality between copyright and privacy,” the company says.

“Telia does not know what the above law firm intends to do with the large amount of customer data which they are now collecting.”

While that statement from Telia is arguably correct, it doesn’t take a genius to work out where this is going. Every time that these companies can match an IP address to an account holder, they will receive a letter in the mail demanding a cash settlement. Anything that substantially deviates from this outcome would be a very surprising development indeed.

In the meantime, Jon Karlung, the outspoken boss of ISP Bahnhof, has pointed out that if Telia didn’t store customer IP addresses in the first place, it wouldn’t have anything to hand out to copyright trolls.

“Bahnhof does not store this data – and we can’t give out something we do not have. The same logic should apply to Telia,” he said.

Bahnhof says it stores customer data including IP addresses for 24 hours, just long enough to troubleshoot technical issues but nowhere near long enough to be useful to trolls.

Announcing the Tails Social Contract

Post Syndicated from ris original https://lwn.net/Articles/722257/rss

The Amnesic Incognito Live System (Tails) has adopted a Social Contract, based on the Debian Social Contract and the Tor Social Contract. “We believe that privacy, the free exchange of ideas, and equal access to information are essential to free and open societies. Through our community standards and the tools we create, we provide means that empower all people to protect and advance these ideals.

US Court Orders Registries to Seize Control of ‘Pirate’ Domains

Post Syndicated from Andy original https://torrentfreak.com/us-court-orders-registries-seize-control-of-pirate-domains-170508/

ABS-CBN is the largest media and entertainment company in the Philippines and it is extremely aggressive when it comes to protecting its intellectual property. In fact, it now targets way more ‘pirate’ sites in the United States than the MPAA.

One of the tactics employed by ABS-CBN is targeting the domains of ‘pirate’ sites. On several occasions, the TV outfit has found courts willing to step in with ex parte orders, based on allegations of copyright and trademark infringement.

The United States District Court for the Southern District of Florida is a popular venue for ABS-CBN and in April the company approached the Court again, this time with allegations against 19 streaming platforms (list below).

“Through their websites operating under the Subject Domain Names, Defendants advertise and hold out to the public that they have ABS-CBN’s copyrighted content and perform ABS-CBN’s copyrighted content over the Internet, in order to illegally profit from ABS-CBN’s intellectual property, without ABS-CBN’s consent,” the company wrote in its complaint.

“Defendants’ entire Internet-based website businesses amount to nothing more than illegal operations established and operated in order to infringe the intellectual property rights of ABS-CBN and others.”

Claiming direct and contributory copyright infringement, trademark infringement and unfair competition, among other things, ABS-CBN demanded maximum statutory damages of $150,000 per infringement, plus injunctive relief to avoid future infringement. Following an ex parte process, the Court responded favorably.

In an order granting a preliminary injunction, the Florida district court agreed that the sites present an ongoing threat to ABS-CBN’s business and it’s likely they’ll continue to deceive the public by illegally using the company’s trademarks and content without a license.

Judge Robert N. Scola Jr. restrained everyone connected to the sites from “advertising, promoting, copying, broadcasting, publicly performing, and/or distributing” any of ABS-CBN’s content and/or abusing its trademarks.

While this is fairly standard for this kind of process, it was also remarkably easy for ABS-CBN to deprive the sites of their domains.

In his order, the Judge ordered the domain registrars of the ‘pirate’ sites to transfer the domains to a holding account operated by a new registrar of ABS-CBN’s choosing, pending the outcome of the case. If they fail to do that within a single business day, the TLD (top-level domain) registries are instructed to do it for them.

While the case is underway, each domain is ordered to be re-directed away from the pirate sites and towards a new URL displaying copies of the complaint and subsequent orders.

“After the New Registrar has effected this change, the Subject Domain Names shall be placed on lock status, preventing the modification or deletion of the domains by the New Registrar or the Defendants,” the order reads.

While 19 domains are listed, any other domains “properly brought to the Court’s attention” can be seized in the same manner, the order notes.

Since the ‘pirate’ site operators are unlikely to defend the action, the domains are almost certainly out of reach already. ABS-CBN says it now wants $40m in damages, so arguing over the fate of a few domains is probably low on the operators’ agenda.

“We will continue to shut down these pirate sites to protect the public from harm,” said ABS-CBN assistant vice president and head of global anti-piracy Elisha Lawrence.

“There is only one genuine ABS-CBN internet subscription service that is safe for our fans to use and that is TFC and TFC.t.”

The affected domains

Using Ultrasonic Beacons to Track Users

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/05/using_ultrasoni.html

I’ve previously written about ad networks using ultrasonic communications to jump from one device to another. The idea is for devices like televisions to play ultrasonic codes in advertisements and for nearby smartphones to detect them. This way the two devices can be linked.

Creepy, yes. And also increasingly common, as this research demonstrates:

Privacy Threats through Ultrasonic Side Channels on Mobile Devices

by Daniel Arp, Erwin Quiring, Christian Wressnegger and Konrad Rieck

Abstract: Device tracking is a serious threat to the privacy of users, as it enables spying on their habits and activities. A recent practice embeds ultrasonic beacons in audio and tracks them using the microphone of mobile devices. This side channel allows an adversary to identify a user’s current location, spy on her TV viewing habits or link together her different mobile devices. In this paper, we explore the capabilities, the current prevalence and technical limitations of this new tracking technique based on three commercial tracking solutions. To this end, we develop detection approaches for ultrasonic beacons and Android applications capable of processing these. Our findings confirm our privacy concerns: We spot ultrasonic beacons in various web media content and detect signals in 4 of 35 stores in two European cities that are used for location tracking. While we do not find ultrasonic beacons in TV streams from 7 countries, we spot 234 Android applications that are constantly listening for ultrasonic beacons in the background without the user’s knowledge.

News article. BoingBoing post.
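The abstract mentions building detectors for these beacons. The following is an added example (not code from the paper or from this post) of the defensive half of that idea: scanning a captured audio frame for energy in the 18–20 kHz band, where such beacons are typically placed. The audio is constructed in the script; the band edges, probe spacing, threshold and the 18.5 kHz beacon frequency are assumptions, not values taken from the paper.

```python
"""Detect near-ultrasonic beacon tones in a short audio frame.

Added example: a Goertzel-based probe of the 18-20 kHz band. Goertzel
evaluates one DFT bin in O(n), so an always-on detector can check a
handful of probe frequencies without a full FFT. All audio is
constructed below; constants are assumptions for the demonstration.
"""
import math
import random

SAMPLE_RATE = 44_100             # Hz; common phone capture rate (assumption)
FRAME_SECONDS = 0.1              # analysis window length (assumption)
BEACON_BAND = (18_000, 20_000)   # Hz; near-ultrasonic band to watch (assumption)
PROBE_STEP = 50                  # Hz between probe frequencies (assumption)
POWER_THRESHOLD = 1e-5           # normalised power, ~0.6% full-scale tone (assumption)


def goertzel_power(samples, freq, sample_rate=SAMPLE_RATE):
    """Normalised power |X[k]|^2 / n^2 of the DFT bin nearest `freq`.

    A full-scale-A sinusoid exactly on bin k yields A^2 / 4, so the result
    is comparable across frame lengths.
    """
    n = len(samples)
    k = int(round(n * freq / sample_rate))
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2   # |X[k]|^2
    return power / (n * n)


def detect_beacon(samples, sample_rate=SAMPLE_RATE):
    """Scan the beacon band; return (detected, peak_freq_hz, peak_power).

    The probe grid is finer than the frame's bin width would strictly need
    so that a beacon sitting between two probes still leaks enough energy
    into a neighbouring probe to cross the threshold.
    """
    lo, hi = BEACON_BAND
    best_freq, best_power = None, 0.0
    for freq in range(lo, hi + 1, PROBE_STEP):
        p = goertzel_power(samples, freq, sample_rate)
        if p > best_power:
            best_freq, best_power = freq, p
    return best_power >= POWER_THRESHOLD, best_freq, best_power


def make_frame(beacon_hz=None, beacon_amp=0.1, seed=1):
    """Constructed audio: a 1 kHz 'programme' tone, mild noise, optional beacon.

    The beacon is deliberately quiet (10% of full scale) since in practice
    it is mixed under audible content so listeners do not notice it.
    """
    rng = random.Random(seed)
    n = int(SAMPLE_RATE * FRAME_SECONDS)
    out = []
    for i in range(n):
        t = i / SAMPLE_RATE
        x = 0.8 * math.sin(2 * math.pi * 1000 * t) + rng.uniform(-0.01, 0.01)
        if beacon_hz is not None:
            x += beacon_amp * math.sin(2 * math.pi * beacon_hz * t)
        out.append(x)
    return out


if __name__ == "__main__":
    for label, frame in (("clean", make_frame()), ("beacon", make_frame(18_500))):
        hit, f, p = detect_beacon(frame)
        print(f"{label}: detected={hit} peak={f} Hz power={p:.2e}")
```

On a real device the same check would run over microphone frames; an app that keeps the microphone open and performs this kind of band scan while in the background is exactly the behaviour the paper flags in 234 Android applications.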

PwnBin – Python Pastebin Search Tool

Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/CufPimRD0k4/

PwnBin is a webcrawler or Pastebin search tool which searches public pastebins for specified keywords. All pastes are then returned after sending completion signal CTRL+C. Apart from being a great tool for developers, Pastebins are often used by hackers to leak stolen credentials or d0x people. This tool can help you search pastebins for your…

Read the full post at darknet.org.uk

ISP Lands Supreme Court Win Over Copyright Trolls

Post Syndicated from Andy original https://torrentfreak.com/isp-lands-supreme-court-win-over-copyright-trolls-170505/

Every day, millions of people use BitTorrent to obtain free movies, TV shows, and music, but many aren’t aware that their activities can be monitored. Most monitoring is relatively benign, but there are companies out there who make a living from threatening to sue file-sharers.

These so-called ‘copyright trolls’ share files along with regular users, capture their IP addresses and trace them back to their ISPs. From there, ISPs are asked to hand over the alleged pirates’ names and addresses so trolls can extract a cash settlement from them, but most ISPs demand a court process before doing so.

Over in Norway, a company called Scanbox Entertainment hired German anti-piracy outfit Excipio to track people sharing the movie ‘The Captive’. Between November 27 and December 1, 2015, the company reportedly found eight customers of telecoms giant Telenor doing so. While the numbers are small, initial cases are often presented this way to attract less attention in advance of bigger moves.

During December 2015, Scanbox sent a request to the Oslo District Court to force Telenor to hand over its subscribers’ information. It also asked the Court to prevent the ISP from deleting or anonymizing logs that could identify the alleged infringers.

In May 2016 Scanbox won its case, and Telenor was ordered to hand over the names and postal addresses of its subscribers. However, determined to protect its customers’ privacy (now and for similar cases in the future), the ISP filed an appeal.

At the Court of Appeal in September 2016, the tables were turned when it was decided that Telenor wouldn’t have to hand over the personal information of its customers after all. The evidence of the alleged infringements failed to show that any sharing was substantial.

But after coming this far and with lots of potential settlement payments at stake, Scanbox refused to give in, taking its case all the way to the Supreme Court where a panel of judges was asked to issue a definitive ruling. The decision just handed down by the Court is bad news for Scanbox.

In essence, the Court weighed Scanbox’s right to protect copyright versus Norwegian citizens’ right to privacy. If the former is to trump the latter, then any copyright infringements must be of a serious nature. The panel of judges at the Supreme Court felt that the evidence presented against Telenor’s customers was not good enough to prove infringement beyond the threshold. The panel, therefore, upheld the earlier decision of the Court of Appeal.

Torgeir Waterhouse of Internet interest group ICT Norway says that online privacy should always be respected and not disregarded as the rightsholders and their law firm, Denmark-based Njord Law, would like.

“This is not about enforcing copyright, this is about what methods are acceptable to use within the law,” Waterhouse says.

“This is an important decision that sends an important message to the licensees and Njord Law that the rule of law can not be set aside in their eagerness to deal with illegal file-sharing. We are very pleased that Njord’s frivolous activity has been stopped. We expect licensees to act responsibly and respect both privacy and the rule of law.”

ScanBox is now required to pay Telenor almost $70,000 in costs, a not insignificant amount that should give reason to pause before future trolling efforts get underway in Norway.

Full decision (Norwegian, pdf)

Skytorrents: A Refreshing Ad-free and Privacy Focused Torrent Site

Post Syndicated from Ernesto original https://torrentfreak.com/skytorrents-a-refreshing-ad-free-and-privacy-focused-torrent-site-170430/

Many file-sharing fans see torrent site operators as Robin Hood figures, serving free goods to the public at great risk with minimal financial incentive.

Copyright holders, on the other hand, portray the same people as greedy criminals who are exploiting their work for financial gain, subjecting the public to malicious ads.

While there is no standard torrent site owner, the truth often lies somewhere in the middle. Many site owners make money, but not the millions that are sometimes claimed. And yes, most sites have shady ads, but that’s often because these are pushed by the advertising networks they use.

A torrent site without ads is rare, but a few months ago a newcomer appeared that promised just that.

When Skytorrents first showed up, advertising an ad-free and privacy-focused service, we were skeptical. They wouldn’t be the first to start this way but change their tune when visitors started coming in.

However, months later the site is still around, so we decided to ask why they do what they do and how they are able to survive.

“We will NEVER place any ads. The site will remain ad-free or it will shut down. When our funds dry up, we will go for donations. We can also handover to someone with similar intent, interests, and the goal of a private and ad-free world,” Skytorrents’ operator informed us.

“The main motivation is to showcase an ad-free experience to users. We are giving something good back to society.”

Setting up a torrent site without ads isn’t hard, but the privacy element is trickier. To achieve this Skytorrents has had to make a lot of concessions, both in design and the general functioning of the site.

Users will not be able to create an account, for example, as that would create a weak spot. The same is true for JavaScript, which isn’t used at all.

“For example, using a CDN breaches user privacy. As far as complete privacy is concerned, either there is complete privacy or zero privacy. For maintaining complete privacy, we do not use cookies, JavaScript or user logins. We also do not have any moderators,” Skytorrents informed us.

The result is a surprisingly fast and clean search engine that runs on a CentOS-operated server with a bunch of C code, but without common tools such as PHP or MySQL.

As for the torrents, these are all collected from BitTorrent’s DHT network. Before they are listed all torrents have to pass through two spam detection algorithms which get better and better every day.

In addition, there is also a separate tool that “confirms” torrents to be genuine. While 99% of the torrents are spam-free already, for “genuine” torrents this goes up to nearly 100%.

“We also have another algorithm which validates and marks genuine torrents. However, note that 99% of listed torrents are spam free. A genuine marked torrent can be assured 99.99 % of the time,” Skytorrents’ operator says.

At the time of writing, Skytorrents lists 12,645,486 torrents, and the site’s operators plan to keep expanding their database, as well as the number of users, while keeping to their ad-free and privacy-oriented values.

Whether they will be able to pull this off remains to be seen, but over the past few months they’ve kept their promise.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Stealing Browsing History Using Your Phone’s Ambient Light Sensor

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/04/stealing_browsi.html

There has been a flurry of research into using the various sensors on your phone to steal data in surprising ways. Here’s another: using the phone’s ambient light sensor to detect what’s on the screen. It’s a proof of concept, but the paper’s general conclusions are correct:

There is a lesson here that designing specifications and systems from a privacy engineering perspective is a complex process: decisions about exposing sensitive APIs to the web without any protections should not be taken lightly. One danger is that specification authors and browser vendors will base decisions on overly general principles and research results which don’t apply to a particular new feature (similarly to how protections on gyroscope readings might not be sufficient for light sensor data).
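The side channel described above, as an added, constructed Python simulation that is not the paper’s code: it assumes the usual rendering trick of making the screen bright for a visited link and dark otherwise (an assumption here; the post does not describe the mechanism), models the sensor as ambient light plus screen glow plus noise, calibrates a decision threshold from two known frames, and classifies each probed URL from sensor readings alone. The `quantum` parameter goes beyond the text: it models a defence in which the browser rounds readings to a coarse step, which in this model collapses the channel. All URLs, lux values and the victim history are made up for the example.

```python
import random
import statistics

# Constructed model (not the paper's code): how many lux the screen adds to the sensor
# reading when the probed element is rendered bright (visited) or dark (not visited).
SCREEN_LUX = {True: 8.0, False: 0.0}


def sensor_reading(screen_bright, ambient_lux, rng, quantum=None):
    """Simulated ambient light sensor: ambient light + screen glow + Gaussian noise.
    `quantum` models a defence the example adds: the browser rounds readings to a
    coarse step in lux before handing them to the page."""
    lux = ambient_lux + SCREEN_LUX[screen_bright] + rng.gauss(0.0, 1.0)
    if quantum:
        lux = round(lux / quantum) * quantum
    return lux


class HistorySniffer:
    """Attacker page. It cannot read the victim's history directly, but it can style a
    probed link so the screen is bright when the URL is visited and dark otherwise,
    then read that brightness back through the light sensor."""

    def __init__(self, history, ambient_lux=30.0, samples=8, quantum=None, seed=7):
        self._history = set(history)   # the secret: reachable only via the rendering side effect
        self.ambient_lux = ambient_lux
        self.samples = samples
        self.quantum = quantum
        self.rng = random.Random(seed)
        self.threshold = None

    def _render(self, url):
        """Assumed visited-link styling: the screen is bright iff the URL is in history."""
        return url in self._history

    def _measure(self, bright):
        """Sample the sensor several times for one rendered state; the median damps noise."""
        return statistics.median(
            sensor_reading(bright, self.ambient_lux, self.rng, self.quantum)
            for _ in range(self.samples))

    def calibrate(self):
        """Measure a known-dark and a known-bright frame; their midpoint is the threshold."""
        dark, light = self._measure(False), self._measure(True)
        self.threshold = (dark + light) / 2.0
        return dark, light

    def probe(self, url):
        """Render the probe for `url` and decide 'visited' from the sensor reading alone."""
        if self.threshold is None:
            self.calibrate()
        return self._measure(self._render(url)) > self.threshold

    def sniff(self, urls):
        return {url: self.probe(url) for url in urls}


# Constructed victim history and probe list.
VICTIM_HISTORY = ["https://bank.example/login", "https://mail.example/inbox"]
PROBES = ["https://bank.example/login", "https://news.example/",
          "https://mail.example/inbox", "https://shop.example/cart"]


def run_attack(quantum=None):
    """The attacker's verdict for every probed URL, with or without the rounding defence."""
    return HistorySniffer(VICTIM_HISTORY, quantum=quantum).sniff(PROBES)


def ground_truth():
    return {url: url in VICTIM_HISTORY for url in PROBES}
```

With raw readings, `run_attack()` recovers the constructed history exactly; with `quantum=50.0` the calibration frames become indistinguishable and every probe comes back “not visited”. The point is the one the paper makes about protections: the sensitivity of the API, not the sensor, decides whether an on-screen secret leaks.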

Reading Analytics and Privacy

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/04/reading_analyti.html

Interesting paper: “The rise of reading analytics and the emerging calculus of reading privacy in the digital world,” by Clifford Lynch:

Abstract: This paper studies emerging technologies for tracking reading behaviors (“reading analytics”) and their implications for reader privacy, attempting to place them in a historical context. It discusses what data is being collected, to whom it is available, and how it might be used by various interested parties (including authors). I explore means of tracking what’s being read, who is doing the reading, and how readers discover what they read. The paper includes two case studies: mass-market e-books (both directly acquired by readers and mediated by libraries) and scholarly journals (usually mediated by academic libraries); in the latter case I also provide examples of the implications of various authentication, authorization and access management practices on reader privacy. While legal issues are touched upon, the focus is generally pragmatic, emphasizing technology and marketplace practices. The article illustrates the way reader privacy concerns are shifting from government to commercial surveillance, and the interactions between government and the private sector in this area. The paper emphasizes U.S.-based developments.

AWS and the General Data Protection Regulation (GDPR)

Post Syndicated from Stephen Schmidt original https://aws.amazon.com/blogs/security/aws-and-the-general-data-protection-regulation/


Just over a year ago, the European Commission approved and adopted the new General Data Protection Regulation (GDPR). The GDPR is the biggest change in data protection laws in Europe since the 1995 introduction of the European Union (EU) Data Protection Directive, also known as Directive 95/46/EC. The GDPR aims to strengthen the security and protection of personal data in the EU and will replace the Directive and all local laws relating to it.

AWS welcomes the arrival of the GDPR. The new, robust requirements raise the bar for data protection, security, and compliance, and will push the industry to follow the most stringent controls, helping to make everyone more secure. I am happy to announce today that all AWS services will comply with the GDPR when it becomes enforceable on May 25, 2018.

In this blog post, I explain the work AWS is doing to help customers with the GDPR as part of our continued commitment to help ensure they can comply with EU Data Protection requirements.

What has AWS been doing?

AWS continually maintains a high bar for security and compliance across all of our regions around the world. This has always been our highest priority—truly “job zero.” The AWS Cloud infrastructure has been architected to offer customers the most powerful, flexible, and secure cloud-computing environment available today. AWS also gives you a number of services and tools to enable you to build GDPR-compliant infrastructure on top of AWS.

One tool we give you is a Data Processing Agreement (DPA). I’m happy to announce today that we have a DPA that will meet the requirements of the GDPR. This GDPR DPA is available now to all AWS customers to help you prepare for May 25, 2018, when the GDPR becomes enforceable. For additional information about the new GDPR DPA or to obtain a copy, contact your AWS account manager.

In addition to account managers, we have teams of compliance experts, data protection specialists, and security experts working with customers across Europe to answer their questions and help them prepare for running workloads in the AWS Cloud after the GDPR comes into force. To further answer customers’ questions, we have updated our EU Data Protection website. This website includes information about what the GDPR is, the changes it brings to organizations operating in the EU, the services AWS offers to help you comply with the GDPR, and advice about how you can prepare.

Another topic we cover on the EU Data Protection website is AWS’s compliance with the CISPE Code of Conduct. The CISPE Code of Conduct helps cloud customers ensure that their cloud infrastructure provider is using appropriate data protection standards to protect their data in a manner consistent with the GDPR. AWS has declared that Amazon EC2, Amazon S3, Amazon RDS, AWS Identity and Access Management (IAM), AWS CloudTrail, and Amazon Elastic Block Store (Amazon EBS) are fully compliant with the CISPE Code of Conduct. This declaration provides customers with assurances that they fully control their data in a safe, secure, and compliant environment when they use AWS. For more information about AWS’s compliance with the CISPE Code of Conduct, go to the CISPE website.

As well as giving customers a number of tools and services to build GDPR-compliant environments, AWS has achieved a number of internationally recognized certifications and accreditations. In the process, AWS has demonstrated compliance with third-party assurance frameworks such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, PCI DSS Level 1, and SOC 1, SOC 2, and SOC 3. AWS also helps customers meet local security standards such as BSI’s Cloud Computing Compliance Controls Catalogue (C5), which is important in Germany. We will continue to pursue certifications and accreditations that are important to AWS customers.

What can you do?

Although the GDPR will not be enforceable until May 25, 2018, we are encouraging our customers and partners to start preparing now. If you have already implemented a high bar for compliance, security, and data privacy, the move to GDPR should be simple. However, if you have yet to start your journey to GDPR compliance, we urge you to start reviewing your security, compliance, and data protection processes now to ensure a smooth transition in May 2018.

You should consider the following key points in preparation for GDPR compliance:

  • Territorial reach – Determining whether the GDPR applies to your organization’s activities is essential to ensuring your organization’s ability to satisfy its compliance obligations.
  • Data subject rights – The GDPR enhances the rights of data subjects in a number of ways. You will need to make sure you can accommodate the rights of data subjects if you are processing their personal data.
  • Data breach notifications – If you are a data controller, you must report data breaches to the data protection authorities without undue delay and in any event within 72 hours of you becoming aware of a data breach.
  • Data protection officer (DPO) – You may need to appoint a DPO who will manage data security and other issues related to the processing of personal data.
  • Data protection impact assessment (DPIA) – You may need to conduct and, in some circumstances, you might be required to file with the supervisory authority a DPIA for your processing activities.
  • Data processing agreement (DPA) – You may need a DPA that will meet the requirements of the GDPR, particularly if personal data is transferred outside the European Economic Area.

AWS offers a wide range of services and features to help customers meet requirements of the GDPR, including services for access controls, monitoring, logging, and encryption. For more information about these services and features, see EU Data Protection.

At AWS, security, data protection, and compliance are our top priorities, and we will continue to work vigilantly to ensure that our customers are able to enjoy the benefits of AWS securely, compliantly, and without disruption in Europe and around the world. As we head toward May 2018, we will share more news and resources with you to help you comply with the GDPR.

– Steve

Pirate Bay Founder Launches Anonymous Domain Registration Service

Post Syndicated from Ernesto original https://torrentfreak.com/pirate-bay-founder-launches-anonymous-domain-registration-service-170419/

In recent years, copyright holders have taken aim at the domain name industry, calling on players to take a more active approach against piracy.

One of the often-heard complaints is that website owners use Whois masking services to ensure their privacy.

There are several companies dedicated to offering privacy to domain registrants and today, rightsholders will see a well-known adversary entering the market.

Former Pirate Bay spokesperson and co-founder Peter Sunde has just announced his latest venture. Keeping up his fight for privacy on the Internet, he is launching a new company called Njalla, which helps site operators shield their identities from prying eyes.

The name Njalla refers to the traditional hut that Sámi people use to keep predators at bay. It’s built on a tall stump of a tree or pole and is used to store food or other goods.

On the Internet, Njalla helps to keep people’s domain names private. While anonymizer services aren’t anything new, Sunde’s company takes a different approach compared to most of the competition.


With Njalla, customers don’t buy the domain names themselves; they let the company do it for them. This adds an extra layer of protection but also requires some trust.

A separate agreement grants the customer full usage rights to the domain. This also means that people are free to transfer it elsewhere if they want to.

“Think of us as your friendly drunk (but responsibly so) straw person that takes the blame for your expressions,” Njalla notes.

TorrentFreak spoke to Peter Sunde who says that the service is needed to ensure that people can register domain names without having to worry about being exposed.

“Njalla is needed because we’re going the wrong way in society regarding people’s right to be anonymous. With social media pressuring us to be less anonymous and services being centralized, we need alternatives,” Sunde says.

The current domain privacy services aren’t really providing anonymity, Sunde believes, which is why he decided to fill this gap.

“All key parts of the Internet need to have options for anonymity, and the domain name area is something which was never really protected. At best you can buy a domain name using ‘privacy by proxy’ services, which are aimed more at limiting spam than actually protecting your privacy.”

With a Pirate Bay co-founder behind it, Njalla might also attract some pirate sites as customers. Since Njalla owns the domain names, this could lead to some pressure from rightsholders, but Sunde isn’t really worried about it.

“The domain name itself is not really what they’re after. They’re after the content that the domain name points to. So we’re never helping with anything that might infringe on anything anyhow, so it’s a non-question for us,” Sunde says.

For those who are interested, Njalla just opened its website for business. The company is registered with the fitting name 1337 LLC and is based in Nevis, a small island in the Caribbean Sea.


Kodi Addon Repository Sees Massive Surge in Users

Post Syndicated from Ernesto original https://torrentfreak.com/kodi-addon-repository-sees-massive-surge-users-170417/

Streaming piracy is on the rise with popular media player Kodi at the center of attention.

While Kodi itself is a neutral platform, millions of people use third-party addons to turn it into the ultimate pirate machine.

TVAddons is one of the largest repositories of these plugins. The site, which is also home to FreeTelly, a custom pre-loaded version of Kodi for PC and Mac, is the go-to destination for those who want to upgrade their Kodi experience.

Over the past year-and-a-half, interest in Kodi has skyrocketed, something that’s in large part driven by “pirate” addons. As such, TVAddons has also seen its visitor numbers shoot through the roof.

The site’s latest numbers show how rapidly the platform is growing. Roughly a year ago the repository had about 10 million unique users per month, and last month this number was reached in a single day.

Most of these users aren’t visiting the website. They are people checking in from their devices to see if there’s anything new. Still, the numbers are quite impressive.

The graph below shows that every month more than forty million Kodi-enabled devices with their addons are online, checking for updates.

In terms of actual bandwidth used, there was also a milestone reached last month. In total, TVAddons users transferred a petabyte of data from the site, or one quadrillion (short scale) bytes.

The traffic is divided over a wide array of addons. The site currently lists 1,544 different versions, of which the community-maintained Genesis addon is one of the most popular. How frequently the individual addons are used remains a mystery, though.

TVAddons’ Eleazar informs TorrentFreak that they don’t keep any statistics on the use of individual addons, in part to avoid a competitive atmosphere, but also for privacy reasons.

“We don’t allow addons to keep individual stats. It would turn our open source and positive ‘pay-it-forward’ minded community into a place of fierce competition, which is not part of our principles. It would also be a privacy issue, no one wants their piracy tracked,” he says.

In addition, the site is also doing its best to keep profit-seekers away from its platform. This includes people who are trying to sell paid access to pirated content, including unofficial IPTV suppliers.

“We do not support all these profit-seeking operations like paid IPTV, people selling preloaded Kodi boxes and other stuff. We do what we do for free, for the purpose of sharing and working on our own skills, not so that other people can sell it or try to advertise to our user base,” Eleazar notes.

Going forward, TVAddons will focus on improving its current services so that users can have access to media content in the most convenient way possible. By hosting pirate addons, the site itself isn’t particularly liked by copyright holders, but that doesn’t stop the team from moving ahead.

“Right now we’re just working on making things easier and more efficient,” Eleazar says.

Judging by the recent growth, the public seems to agree that the team is on the right path. It will be interesting to see whether the repository can keep up these growth numbers. They could easily go up to 100 million unique users this time next year, or down to zero, depending on how the wind blows.


Pollexy – Building a Special Needs Voice Assistant with Amazon Polly and Raspberry Pi

Post Syndicated from Ana Visneski original https://aws.amazon.com/blogs/aws/pollexy-building-a-special-needs-voice-assistant-with-amazon-polly-and-raspberry-pi/

April is Autism Awareness month and about 1 in 68 children in the U.S. have been identified with autism spectrum disorder (ASD) (CDC 2014). In this post from Troy Larson, a Sr. DevOps Cloud Architect here at AWS, you get an introduction to a project he has been working on to help his son Calvin.

I have been asked how the minds at AWS come up with so many different ideas. Sometimes they come from a deeply personal place, where someone sees a way to help others. Pollexy is an amazing example of just that. Read about Pollexy and then watch the video here.

-Ana


Background

As a computer-programming parent of a 16-year-old non-verbal teenage boy with autism, I have been constantly searching over the years for ways to use technology to make our lives together safer, happier and more comfortable. At the core of this challenge is the most basic of all human interaction: communication. While Calvin is able to respond to verbal instruction, he is not able to speak responsively. In his entire life, we’ve never had a conversation. He can be left alone in his room to play, but almost every task or set of tasks requires a human to verbally prompt him along the way. With other children and responsibilities in the home, the intensity of supervision can at times weigh heavily on the home dynamic.

Genesis

When I saw the announcement of Amazon Polly and Amazon Lex at re:Invent last year, I immediately started churning on how we could leverage these technologies to assist Calvin. He responds well to human verbal prompts, but would he understand a digital voice? So one Saturday, I set up a Raspberry Pi in his room, closed his door and crouched around the corner with other family members so Calvin couldn’t see us. I connected to the Raspberry Pi and instructed Polly to speak in Joanna’s familiar pacific tone, “Calvin, it’s time to take a potty break. Go out of your bedroom and go to the bathroom.” In a few seconds, we heard his doorknob turn and I poked my head out of my hiding place. Calvin passed by, looking at me quizzically, then went into the bathroom as Joanna had instructed. We all looked at each other in amazement: he had listened and responded perfectly to the completely invisible voice of someone he’d never heard before. After discussing some ideas around this with co-workers, a colleague suggested I enter the IoT and AI Science Fair at our annual AWS Sales Kick-Off meeting. Less than two months after the Polly and Lex announcement, and 3500 lines of code later, Pollexy, along with Calvin, debuted at the Science Fair.

Overview

Pollexy (“Polly” + “Lex”) is a Raspberry Pi and mobile-based special needs verbal assistant that lets caretakers schedule audio task prompts and messages, either on a recurring schedule or on demand. Caretakers can schedule regular medicine reminder messages or hourly bathroom break messages, for example, and at the same time use their Amazon Echo and mobile device to request that a specific message be played immediately. Caretakers can even set it up so that the person needs to confirm that they’ve heard the message. For example, my son won’t pay attention to Pollexy unless Pollexy first asks him to “Push the blue button.” Pollexy will wait until he has pushed the button and then speak the actual message. Other people may be able to respond verbally using Lex, or not require a confirmation at all. Pollexy can be tailored to what works best.

And then most importantly—and most challenging—in a large house, how do we make sure the person is in the room where we play the message? What if we have a special needs adult living in an in-law suite? Are they in the living room or the kitchen? And what about multiple people? What if we have multiple people in different areas of the house, each of whom has a message? Let’s explore the basic elements and tie the pieces together.

Basic Elements of Pollexy

In the spirit of Amazon’s Leadership Principle “Invent and Simplify,” we want to minimize the complexity of the Pollexy architecture. We can break Pollexy down into three types of objects and three components, all of which work together in a way that’s easily explainable.

Object #1: Person

Pollexy can support any number of people. A person is a uniquely identifiable name. We can set basic preferences such as “requires confirmation” and, most importantly, we can define a location schedule: an Outlook-like calendar of where in the house someone is expected to be at a given time.

Object #2: Location

A location is simply a uniquely identifiable place where a device is physically sitting. Based on the person’s location schedule, Pollexy knows which device to contact first, second, third, and so on. Devices can also be “muted” if needed (naptime, etc.).

Object #3: Message

Obviously, this is the actual message we want to play. Attached to each message is a person and a recurring schedule (only if it’s not a one-time message). We don’t store location with the message, because Pollexy figures out the person’s location when the message is ready to be delivered.

Component #1: Scheduler

Every message needs to be scheduled. This is a command-line tool where you essentially say: tell “Calvin” that “you need to brush your teeth” every night at 8 p.m. The message is then stored in DynamoDB, waiting to be picked up by the queueing Lambda function.

Component #2: Queueing Engine

Every minute, a Lambda function runs and checks the scheduler to see if there are any messages ready to be delivered. If a message is ready, it looks up the person’s location schedule, works out where they should be, and pushes the message or messages into the SQS queue for that location.

Component #3: Speaker Engine

Every minute on the Raspberry Pi device, the speaker engine spins up and checks the SQS queue for its location. If there are messages, the speaker engine looks at the person’s preferences and initiates communication to convey the message. If the person doesn’t respond, the speaker engine checks whether the person has a secondary location in their schedule and drops the message into the SQS queue for that location. In the end, a message is either delivered or eventually times out (if someone is out of the house for the day, for example).
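The three objects and three components above, tied together as an added in-memory Python model. This is example code written for this page, not the Pollexy project’s own code: a list stands in for the DynamoDB table, a `deque` per location stands in for each SQS queue, a set of people “present” at a device stands in for the blue-button press or Lex reply, and a simulated clock replaces the once-a-minute Lambda and device timers. The schedule, names and times are constructed for the demo.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta

@dataclass
class Person:
    """Object #1: name, confirmation preference, and a (start, end, location) schedule."""
    name: str
    requires_confirmation: bool = False
    location_schedule: list = field(default_factory=list)   # earlier entries are tried first

    def locations_at(self, when):
        t = when.time()
        return [loc for start, end, loc in self.location_schedule if start <= t < end]

@dataclass
class Message:
    """Object #3: text, who it is for, time of day; no location, that is resolved when due."""
    person: str
    text: str
    at: time
    recurring: bool = True
    delivered: bool = False

@dataclass
class Queued:
    message: Message          # a message on a location queue ...
    enqueued: datetime
    tried: list = field(default_factory=list)   # ... plus the locations already tried

class Scheduler:
    """Component #1: stores messages; a list stands in for the DynamoDB table."""
    def __init__(self):
        self.table = []

    def tell(self, person, text, at, recurring=True):
        self.table.append(Message(person, text, at, recurring))

    def due(self, now):
        return [m for m in self.table if (m.at.hour, m.at.minute) == (now.hour, now.minute)
                and (m.recurring or not m.delivered)]

class Pollexy:
    def __init__(self, people, muted=(), timeout=timedelta(hours=8)):
        self.people = {p.name: p for p in people}
        self.scheduler = Scheduler()
        self.queues = defaultdict(deque)   # Object #2: one queue per location (stands in for SQS)
        self.muted = set(muted)            # muted devices are skipped (naptime, etc.)
        self.timeout = timeout
        self.log = []                      # (time, text, outcome) records

    def _candidates(self, person, now, exclude=()):
        return [l for l in person.locations_at(now) if l not in self.muted and l not in exclude]

    def queueing_engine(self, now):
        """Component #2: once a minute, route each due message to the person's first location."""
        for msg in self.scheduler.due(now):
            locs = self._candidates(self.people[msg.person], now)
            if locs:
                self.queues[locs[0]].append(Queued(msg, now))
            else:
                self.log.append((now, msg.text, "no-location"))

    def speaker_engine(self, location, now, present):
        """Component #3: the device at `location` drains its queue; `present` is the set of
        people who would answer a prompt there (stands in for the button press / Lex reply)."""
        queue = self.queues[location]
        for _ in range(len(queue)):
            item = queue.popleft()
            msg, person = item.message, self.people[item.message.person]
            item.tried.append(location)
            if now - item.enqueued > self.timeout:
                self.log.append((now, msg.text, "timeout"))       # e.g. out of the house all day
                continue
            if person.name in present or not person.requires_confirmation:
                msg.delivered = True
                self.log.append((now, msg.text, "delivered@" + location))
                continue
            # No answer: fall back to the next location in the schedule, or retry here until timeout.
            fallback = self._candidates(person, now, exclude=item.tried) or [location]
            self.queues[fallback[0]].append(item)

def run_demo():
    """Constructed scenario (not from the project): bedroom first, living room second."""
    calvin = Person("Calvin", requires_confirmation=True,
                    location_schedule=[(time(7), time(20), "bedroom"), (time(7), time(22), "living_room")])
    px = Pollexy([calvin], timeout=timedelta(hours=1))
    px.scheduler.tell("Calvin", "you need to brush your teeth", time(8, 0))
    px.scheduler.tell("Calvin", "time for medicine", time(12, 0), recurring=False)
    t8 = datetime(2017, 4, 20, 8, 0)
    px.queueing_engine(t8)
    px.speaker_engine("bedroom", t8, present=set())                     # not answered here
    px.speaker_engine("living_room", t8 + timedelta(minutes=1), present={"Calvin"})
    px.muted.add("living_room")                                         # naptime
    t12 = datetime(2017, 4, 20, 12, 0)
    px.queueing_engine(t12)
    px.speaker_engine("bedroom", t12, present=set())                    # nowhere else to try
    px.speaker_engine("bedroom", t12 + timedelta(hours=2), present=set())   # past the timeout
    return [outcome for _, _, outcome in px.log]
```

Running `run_demo()` walks both paths the text describes: the 8 p.m.-style message is not answered in the bedroom, is re-queued for the living room and is delivered there a minute later; the one-time medicine message has no unmuted secondary location, is retried at the bedroom device and finally times out. Delivery state lives on the message, not the queue, so a one-time message that timed out can be noticed and rescheduled by the caretaker.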

Respect and Freedom are the Keys

We often take our personal privacy and the respect of others for granted, so imagine, even for a special needs person, the lack of privacy and freedom that comes with having someone constantly in your presence. This is exaggerated for those on the autism spectrum, where an invasion of personal space can escalate into anger and frustration. Pollexy becomes their own personal, gentle and never-flustered friend to coach them along the way, giving them confidence, respect and the sense of privacy and freedom we all want to enjoy.

-Troy Larson